Counterintelligence

Spotting the Suspicious & Reporting the Threat

What is Counterintelligence?

The U.S. is increasingly the target of foreign-based cyber operations. We rely on its cyber infrastructure for everything from communications, to the management of critical infrastructure, to the command and control of our military. This dependence on technology, along with the rapid rate of technological innovation, creates numerous vulnerabilities that our adversaries seek to exploit.

Foreign adversaries can conduct cyber operations to collect intelligence or to disrupt and degrade the effectiveness of the technologies on which we depend. Cyber operations are very attractive to foreign intelligence organizations, non-state actors, criminals and terrorists because they can be conducted relatively cheaply and easily and offer high returns with a low degree of risk. The risk of exposure is low because cyber operations can be carried out remotely and with a high degree of anonymity. In addition, cyber operations are comparatively inexpensive, and can be conducted rapidly. For all of these reasons, state and non-state actors are increasingly turning to the cyber domain to augment and bolster their respective intelligence activities against the U.S. in an effort to gain advantage.

The Role of Counterintelligence

Counterintelligence plays a critical role in reversing the benefits that cyber operations afford our adversaries. Insider threat detection programs can increase the likelihood of identifying insider threat activities on our networks. CI collection and analysis increases our understanding of cyber threats and how to defend against them. For these reasons, counterintelligence plays a critical role in enhancing the cybersecurity posture of the U.S. in an increasingly connected world.

Cybersecurity Exploitation Methods

Spear Phishing

An email spoofing fraud attempt that targets a specific organization (or, more accurately, specific users within that organization), seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information. It is one of the most common ways malware is delivered. Perpetrators use very effective methods to disguise the email as genuine and use social engineering tricks to encourage the individual to carry out the instructions in the email or to click on the links provided. This approach carries low risk for the sender and potentially high pay-offs.

Whale Phishing

A term used to describe a phishing attack that is specifically aimed at wealthier individuals. Because of their relative wealth, if such a user becomes the victim of a phishing attack, he or she can be considered a “big phish,” or, alternately, a whale.

Watering Hole

These attacks use compromised third-party websites. The attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user’s computer and gain access to the network at the target’s place of employment.

Removable Media

Removable media (USB devices) can provide a means to quickly spread malicious software from a trusted user. They can be used to initiate attempted intrusions. USB devices are ubiquitous and used prolifically inside many organizations, although their use on DoD networks is largely blocked or prohibited.

Reporting the Threat

NISPOM (National Industrial Security Program Operating Manual) states: “Contractors shall report efforts by an individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or to compromise a cleared employee.” Cleared contractors must also report actual, probable or possible espionage, sabotage, terrorism or subversion to the FBI and DSS (NISPOM I-301).

If your company is subject to the DFARS Rule 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” then you have an additional mandatory reporting requirement. Contractors must report a reportable cyber incident within 72 hours of discovery. Contractors must report the incident to DoD via http://dibnet.ded.mil. Subcontractors must report incidents to their prime contractor under the DFARS UCTI rule, or to their prime contractor and the DoD under the DFARS SP800-171 rule.